From ef956ab4cc0c52e48f3dfc8ac3f2cbe0ca372e02 Mon Sep 17 00:00:00 2001
From: Allen Golbig
Date: Mon, 26 Jul 2021 14:56:11 -0400
Subject: [PATCH] first monty rules
---
 .../icloud/icloud_private_relay_disable.yaml | 48 +++++++++++++++++++
 rules/os/os_recovery_lock_enable.yaml | 40 ++++++++++++++++
 .../os/os_skip_unlock_with_watch_enabled.yaml | 44 +++++++++++++++++
 .../sysprefs_airplay_receive_disable.yaml | 32 +++++++++++++
 4 files changed, 164 insertions(+)
 create mode 100644 rules/icloud/icloud_private_relay_disable.yaml
 create mode 100644 rules/os/os_recovery_lock_enable.yaml
 create mode 100644 rules/os/os_skip_unlock_with_watch_enabled.yaml
 create mode 100644 rules/sysprefs/sysprefs_airplay_receive_disable.yaml
diff --git a/rules/icloud/icloud_private_relay_disable.yaml b/rules/icloud/icloud_private_relay_disable.yaml
new file mode 100644
index 00000000..5ddbfb3a
--- /dev/null
+++ b/rules/icloud/icloud_private_relay_disable.yaml
@@ -0,0 +1,48 @@
+id: icloud_private_relay_disable
+title: "Disable iCloud Private Relay"
+discussion: |
+check: |
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'allowCloudPrivateRelay = 0'
+result:
+ integer: 1
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - N/A
+ cci:
+ - N/A
+ 800-53r5:
+ - AC-20
+ - AC-20(1)
+ - CM-7
+ - CM-7(1)
+ - SC-7(10)
+ 800-53r4:
+ - CM-7
+ - CM-7(1)
+ - AC-20
+ - AC-20(1)
+ srg:
+ - N/A
+ disa_stig:
+ - APPL-12-XXXXXX
+ 800-171r2:
+ - N/A
+macOS:
+ - "12.0"
+tags:
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-171
+ - cnssi-1253
+ - stig
+severity: "medium"
+mobileconfig: true
+mobileconfig_info:
+ com.apple.applicationaccess:
+ allowCloudPrivateRelay: false
diff --git a/rules/os/os_recovery_lock_enable.yaml b/rules/os/os_recovery_lock_enable.yaml
new file mode 100644
index 00000000..bdd76d3b
--- /dev/null
+++ b/rules/os/os_recovery_lock_enable.yaml
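Review bot: `discussion: |` near the top of the hunk has no body, so the rule ships with an empty rationale while the recovery-lock and watch-unlock rules in this commit explain their requirement; the same empty `discussion: |` is in rules/sysprefs/sysprefs_airplay_receive_disable.yaml. One sentence on why Private Relay is disabled (presumably that relayed traffic leaves the organization's monitoring boundary, which is what the AC-20 and SC-7(10) references point at) would make the control mapping defensible. The `disa_stig` value `APPL-12-XXXXXX` is a placeholder while the rule carries the `stig` tag; if the id is not yet assigned, a comment such as `# STIG id pending` would keep the tag from being read as a finished mapping. Separately, `grep -c` counts matching lines, so a host where two installed profiles both set `allowCloudPrivateRelay = 0` returns 2 and fails the `integer: 1` comparison; the `profiles`-based checks in the other hunks have the same shape, and this looks like an existing project convention rather than something this commit introduces.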
@@ -0,0 +1,40 @@
+id: os_recovery_lock_enable
+title: "Enable Recovery Lock"
+discussion: |
+ A recovery lock password _MUST_ be enabled and set.
+
+ NOTE: Recovery lock passwords are not supported on Intel devices.
+check: |
+ /usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "IsRecoveryLockedEnabled = 1"
+result:
+ integer: 1
+fix: |
+ NOTE: The SetRecoveryLock command can be used to set a Recovery Lock password.
+references:
+ cce:
+ - N/A
+ cci:
+ - N/A
+ 800-53r5:
+ - AC-6
+ 800-53r4:
+ - AC-6
+ srg:
+ - N/A
+ disa_stig:
+ - APPL-12-XXXXXX
+ 800-171r2:
+ - 3.1.5
+macOS:
+ - "12.0"
+tags:
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-171
+ - cnssi-1253
+ - stig
+severity: "medium"
+mobileconfig: false
+mobileconfig_info:
\ No newline at end of file
diff --git a/rules/os/os_skip_unlock_with_watch_enabled.yaml b/rules/os/os_skip_unlock_with_watch_enabled.yaml
new file mode 100644
index 00000000..067f97b6
--- /dev/null
+++ b/rules/os/os_skip_unlock_with_watch_enabled.yaml
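Review bot: The check `/usr/libexec/mdmclient QuerySecurityInfo | /usr/bin/grep -c "IsRecoveryLockedEnabled = 1"` returns 0 on Intel Macs, where the discussion itself says Recovery Lock is unsupported, so the rule raises a finding on hardware that cannot comply and nothing in the rule scopes it to Apple silicon. The discussion should say how Intel devices are expected to be handled (exempted, or covered by a compensating control such as a firmware password) so the finding is not misread. The file also ends with `mobileconfig_info:` with no value and no trailing newline; a bare key parses as null rather than an empty mapping, so `mobileconfig_info: {}` plus a final newline would be the explicit form if the generator expects a mapping — confirm against how other `mobileconfig: false` rules in the repo are written. The `fix` block is only a NOTE naming the `SetRecoveryLock` command; if, as the note implies, the password can only be set through MDM, saying so directly would tell the reader there is no local remediation.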
@@ -0,0 +1,44 @@
+id: os_skip_unlock_with_watch_enabled
+title: "Disable Unlock with Apple Watch During Setup Assistant"
+discussion: |
+ The prompt for Apple Watch unlock setup during Setup Assistant _MUST_ be disabled.
+
+ Disabling Apple watches is a necessary step to ensuring that the information system retains a session lock until the user reestablishes access using an authorized identification and authentication procedures.
+check: |
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'SkipUnlockWithWatch = 1'
+result:
+ integer: 1
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - N/A
+ cci:
+ - CCI-000381
+ 800-53r5:
+ - AC-20
+ 800-53r4:
+ - AC-20
+ srg:
+ - N/A
+ disa_stig:
+ - APPL-12-XXXXXX
+ 800-171r2:
+ - 3.1.20
+macOS:
+ - "12.0"
+tags:
+ - 800-53r5_low
+ - 800-53r5_moderate
+ - 800-53r5_high
+ - 800-53r4_low
+ - 800-53r4_moderate
+ - 800-53r4_high
+ - 800-171
+ - cnssi-1253
+ - stig
+severity: "medium"
+mobileconfig: true
+mobileconfig_info:
+ com.apple.SetupAssistant.managed:
+ SkipUnlockWithWatch: true
diff --git a/rules/sysprefs/sysprefs_airplay_receive_disable.yaml b/rules/sysprefs/sysprefs_airplay_receive_disable.yaml
new file mode 100644
index 00000000..e1a96ad4
--- /dev/null
+++ b/rules/sysprefs/sysprefs_airplay_receive_disable.yaml
@@ -0,0 +1,32 @@
+id: sysprefs_airplay_receiver_disable
+title: "Disable Airplay Receiver"
+discussion: |
+check: |
+ /usr/bin/profiles -P -o stdout | /usr/bin/grep -c 'AirplayRecieverEnabled = 0'
+result:
+ integer: 1
+fix: |
+ This is implemented by a Configuration Profile.
+references:
+ cce:
+ - N/A
+ cci:
+ - N/A
+ 800-53r5:
+ - N/A
+ 800-53r4:
+ - N/A
+ srg:
+ - N/A
+ disa_stig:
+ - N/A
+ 800-171r2:
+ - N/A
+macOS:
+ - "12.0"
+tags:
+ - none
+mobileconfig: true
+mobileconfig_info:
+ com.apple.controlcenter:
+ AirplayRecieverEnabled: false
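Review bot: The payload `com.apple.SetupAssistant.managed` / `SkipUnlockWithWatch: true` only suppresses the Apple Watch unlock prompt in Setup Assistant, yet the discussion presents it as the step that keeps the session lock intact; a user can presumably still turn on Unlock with Apple Watch later from System Preferences, so the discussion overstates what this rule enforces. Either add a sentence that this rule hides the setup prompt only and pair it with the restriction that actually disables auto-unlock (likely `allowAutoUnlock` in `com.apple.applicationaccess` — verify), or narrow the discussion to the prompt. The `cci` value `CCI-000381` appears to correspond to CM-7 rather than the AC-20 listed under 800-53r4/r5; worth checking which control the rule is meant to satisfy. The second discussion sentence, `Disabling Apple watches is a necessary step to ensuring … using an authorized identification and authentication procedures.`, should read `in ensuring` and `authorized identification and authentication procedures` (drop `an`).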
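Review bot: `id: sysprefs_airplay_receiver_disable` does not match the file name `sysprefs_airplay_receive_disable.yaml`; the other three rules in this commit use the file stem as the id, so any tooling that derives one from the other will not find this rule. Pick one spelling (receiver matches the title `Disable Airplay Receiver`) and rename either the file or the id. This rule also omits the `severity` key that the other three carry, and its `discussion: |` is empty. The key `AirplayRecieverEnabled` is spelled the same way in the check string and in the `com.apple.controlcenter` payload, which is consistent; if that spelling is the vendor's published key name, a comment such as `# key spelling as published by Apple; do not "correct" it` above the payload would stop a later cleanup from breaking the check.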